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(57) Abstract: A system of route tai^ct filtering includes an import filter receiving a plurality of routes having a next hop routing 
information. The import filter accepts a first subset of the routes according to an import target policy. The system further includes a 
re-export filter also receiving the plurality of routes. The re-export filter modifies the next hop information of a second subset of the 
routes, and distributes the modified routes. 
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SYSTEM AND METHOD OF VIRTUAL PRIVATE NETWORK ROUTE TARGET FILTERING 

TECHNICAL FIELD OF THE INVENTION 

This invention relates to telecommunications network and equipment, and more particularly, to a 
system and method of virtual private network route target filtering. 

5 BACKGROUND OF THE INVENTION 

Request for Comment (RFC) 2547bis provides out a virtual private network (VPN) model that 
uses border gateway protocol (BGP) to distribute VPN routing information across the service provider's 
backbone and Multi-protocol label switching (MPLS) to forward VPN traffic from one VPN site to 
another. RFC 2547bis defines a VPN as a collection of policies, and these policies control comiectivity 

10 among a set of sites. A customer site is connected to the service provider network by one or more ports, 
where the service provider associates each port with a VPN routing table. RFC 2547bis calls tiie VPN 
routing table as a VPN routing and forwarding (VRF) table. A customer edge (CE) device provides 
customer access to the service provider network over a data link to one or more provider edge (PE) 
routers. The CE device can be a host, a Layer 2 switch, or more commonly, an IP router that establishes 

15 an adjacency with its directly connected PE routers. After the adjacency is established, the CE router 
advertises the site*s local VPN routes to the PE router and learns remote VPN routes from the PE router. 
After learning local VPN routes from CE routers, a PB router exchanges VPN routing information with 
other PE routers using IBGP. 

A route distinguisher (RD) is an identifier that is used to differentiate IP addresses or IPv4 

20 prefixes of a VPN from another because customers may not use globally unique IP addresses. RFC 
2547bis constrains the distribution of routing information among PE routers by the use of route filtering 
based on a route target (RT) attribute, which is one of the BGP extended community attributes. Route 
targets include import targets and export targets. The import target of a site governs which sites* route 
update information or advertisement it will accept; the export target of the site specifies what import 

25 target the sites it advertises to should include. 

An enterprise's VPN may be configured in a hub-and-spoke topology where the firewall is the 
hub through which all traffic is routed. The hub site's VRF table is configured with an export target = 
hub and an import target = spoke. The VRF table at the hub site distributes all of the routes in its VRF 
table with a hub attribute that causes the routes to be imported by the spoke sites. The VRF table at the 

30 hub site imports all remote routes with a spoke attribute. The VRF table at each spoke site is configured 
with an export target = spoke and an import target = hub. The VRF table at each spoke site distributes its 
routes with a spoke attribute, which causes the routes to be imported by the hub site, but dropped by other 
spoke sites. The VRF table at a spoke site imports only routes with a hub attribute, which causes its VRF 
table to be populated only with routes advertised by the hub site. 
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In conyentional VPNs, policy-based routing around the firewall in the hub-and-spoke topology 
requires either the knowledge of the ff v4 prefix or the use of at least two router ports in order to route 
packets to the spokes from the hub. The reliance using the IP address is tedious and labor intensive, and 
using an extra router port is inefficient and costly. 

5 

SUMMARY OF THE INVENTION 

In accordance with an embodiment of the present invention, a system of route target filtering 
includes an import filter receiving a plurality of routes having a next hop routing information. The import 
filter accepts a first subset of the routes accordmg to an import target policy. The system further includes 

10 a re-export filter also receiving the plurality of routes. The re-export filter modifies the next hop 
information of a second subset of the routes, and distributes the modified routes. If desired, the re-export 
filter may also modify the RD and RT information of the second subset of the routes. 

In accordance with another embodiment of the present invention, a network includes a hub node, 
and a plurality of spoke nodes in communications with one another via the hub node. The hub node 

15 includes an import filter receiving a plurality of routes. The plurality of routes each has a next hop 
routing information. The import filter accepts a first subset of the routes according to an import target 
policy. Thenetworkalsoincludesare-exportfilterreceiving the plurality of routes. The re-export filter 
modifies the next hop information of a second subset of the routes, and distributes the modified routes. If 
desired, the re-export filter may also modify the RD and RT information of the second subset of the 

20 routes. 

In accordance with yet another embodiment of the present invention, a method includes ttie steps 
of receiving a plurality of routes each having a next hop routing information, accepting a first subset of 
the plurality of routes according to a predetermined policy, modifying flie next hop information of a 
second subset of the plurality of routes, and distributing the modified routes. 
25 The present invention uses re-export filters to modify tiie advertised routes and sends the 

modified routbs to (he route reflector for distribution. The routes of nodes within the VPN is modified to 
have the next hop information as designating the firewall node. The present invention thus provides a 
way to perform policy routing around a firewall for a VPN based on RFC 2547bis without the 
disadvantages associated with the use of IP prefix knowledge or an extra port. 

30 

BRIEF DESCRIPTIQN OF THE DRAWINGS 

For a more complete understanding of the present invention, the objects and advantages thereof, 
reference is now made to the following descriptions taken in connection with the accompanying drawings 
in which: 

35 FIGURE 1 is a simplified block diagram of a virtual private network (VPN) configured with a 

firewall according to the teachings of the present invention; and 

2 
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FIGURE 2 is a> simplified diagram of an embodiment of the route target filtering scheme 
according to the teachings of the present invention. 

DETAILED DESCRIPTION OF THE DRAWINGS 
5 The preferred embodiment of the present invention aad its advantages are best imderstood by 

referring to FIGURES 1 and 2 of the drawings, like numerals being used for like and corresponding parts 
of the various drawings. 

FIGURE 1 is a simplified block diagram of a virtual private network (VPN) 10 configured in a 
hub-and-spoke configuration with a firewall as the hub 12 according to the teachings of the present 

10 invention. Hub 12 is a customer edge (CE) device of Sitei 16, which is coupled to a provider edge (PE) 
device 14 of a provider's network- A site is defined by Request for Comment (RFC) 2547bis as a 
collection of customer routers with IP connectivity. Virtual private network 10 is a set of sites, including 
SitCi 16, Site2 18, SitCa 20, and Site4 22. Provider edge device 14 may be directly or indirectly coupled to 
customer edge devices 24-28 of Site2 18, Sites 20, and Site4 22, respectively. Communication to and from 

15 an extranet 20 is done via customer edge device CEi 12, which is the firewall. According to the teachings 
of the present invention, this is done using a route target filtering scheme which does not have the 
disadvantages of conventional methods. 

FIGURE 2 is a simplified diagram of an embodiment of the route target filtering scheme 
according to the teachings of the present invention. The hub, CEi 12, receives routes fi:om a route 

20 reflector (not shown), which is a centralized distributor of routes, Xhe route information includes the 
route distinguisher (RD), route target (RT), and next hop (NH): 

RouteInformation^{RD,RT,NH} 

25 Next hop information may include the provider edge external virtual private router IP address and the 
Iflhdex. Other route information such as the site of origin, the VPN identifier and the Pv4 prefix may 
also be included in the route. A set of import filters 40 is used to determine which routes should be 
accepted and which routes should be rejected. Inq)ort filters 40 include a mask used to compare the 
route input to certain route information such as route target values. For exanq}le, the mask is used to 

30 indicate which route information field should be compared to the target value: 

Mask{Q 1 1,0 1 1,0 1 1} , Fa/Me(*,*,*}^c/zo»= accept] discard 

If the mask is set or one for a specific field, then Hie corresponding value for tiiat field is compared with 
35 the received route; if the mask is clear or Teto for a specific field, tiien the corresponding value for flut 
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field is not compared. Upon a match between the route information and the conq>are value, the route is 
either rejected or accepted. The accepted routes are passed on for route advertisement 

The filtering scheme also includes export filters, local export filters 42 and re-export filters 44. 
Local export filters 42 perform port level-based VPN assignments. Local export filters 42 receive routes 
5 firom the PE-CE routing protocol and apply at least one filter. The accepted routes are exported to the 
proper route reflector. Re-export filters 44 also receive routes firom the route reflector as input. The 
accepted routes are modified with a different route distinguisher, route target, and next hop information 
and redistributed to the route reflector. 

As an illustrative example, customer edge device, CE, 12, has import targets RTr, RTs and RTt. 

10 Its spokes, CE2, CE3 and CE4, each respectively advertises export route targets RTr, RTs and RTt. Sites 
16-22 belong to a VPN that is distinguished by route distinguisher RDi, for example. Therefore, route 
information advertised by CE2 to the hub, CEi, for example is {RD, RT, NH} = {RDj, RTr, CE2}. Re- 
export filter, upon receiving this route, modifies the route to be {RD, RT, NH} = {RD2, RTx, CEi}, for 
example. One or more sites in extranet 30 may import routes with RTx as the route target It is led to 

15 believe that to communicate with site 18 would require it to communicate with CEi 12 because CEi is 
designated as the next hop in the route information. A different route distinguisher, RD2, is attached to 
the modified route in order to avoid duplication in the route reflector. 

In tins manner, routes to sites wifliin a VPN are advertised with the firewall node as the next hop, 
so that all communications are routed via the firewall. The present invention does not require the 

20 manipulation of the IPv4 prefix or the use of an extra router port at the provider edge device to route data 
to sites within the VPN and outside the VPN. This saves the labor intensive and tedious management and 
manipulation of the IPv4 prefix and the costs associated with the extra router port. As IP addresses are 
constantly changing, independence therefi-om also provides added benefits. The present invention may be 
applicable to other situations where redirected routes are needed. 

25 While the invention has been particularly shown and described by the foregomg detailed 

description, it will be understood by those skilled in the art tiiat various changes, alterations, 
modifications, mutations anH derivations in form and detail may be made without departing fi-om the 
spirit and scope of the invention. 
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WHAT IS CLAIMED IS : 

1 . A system of route target filtering, comprising: 

an import filter receiving a plurality of routes, the plurality of routes having a next hop routing 
information, the inq)ort filter accepting a first subset of the routes according to an import target policy; 
5 and 

a re-export filter receiving the plurality of routes, modifying the next hop information of a second 
subset of the routes, and distributing the modified routes. 

2. The system, as set forth in claim 1, wherein the re-export filter modifies the next hop 
10 information to be the address of a router serving as a f^ewall of a network, 

3. The system, as set forth in claim 1, wherein the re-export filter modifies the next hop 
information to be the address of a firewall of a virtual private network. 

15 4. The system, as set forth in claim 1, wherein the re-export filter comprises a mask, a value 

for comparison with the route, and an action to take in response to a match between the route and the 
comparison value. 

5. The system, as set forth in claim 1, wherein the plurality of routes each comprises a route 
20 distinguisher, a route target, and the next hop mformation. 

6. A network, comprising: 
a hub node; 

a plurality of spoke nodes in communications with one another via the hub node; and 
25 the hub node including: 

an import filter receiving a plurality of routes, the plurality of routes having a next hop 
routing information, the import filter accepting a first subset of the routes according to an import 
target pohcy; and 

a re-export filter receiving the plurality of routes, modifying the next hop information of 
30 a second siibset of the routes, and distributing the modified routes. 

7. The network, as set forth in claim 6, wherein the re-export filter modifies the next hop 
information to be the address of the hub node. 

35 8. The network, as set forth in claim 6, wherein the re-export filter modifies the next hop 

information to be the address of the hub node serving as a firewall for the network. 

5 
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9. The network, as set forth in claim 6, wherein the re-export filter modifies the next hop 
information to be the address of the hub serving as a firewall of a virtual private network. 

10. The network, as set forth in claim 6, wherem the re-export filter comprises a mask, a 
S value for comparison with the route, and an action to take in response to a match between the route and 

the comparison value. 

11. The network, as set forth in claim 6, wherein the plurality of routes each comprises a 
route distinguisher, a route target, and the next hop information. 

10 

12. The network, as set forth in claim 6, wherein the hub node is a customer edge device 
coupling a site to a provider network. 

13. A method, comprising: 

15 receiving a plurality of routes each having a next hop routing information; 

accepting a first subset of the plurality of routes according to a predetermined poUcy; 
modifying the next hop information of a second subset of the plurality of routes* and 
distributing the modified routes. 

20 14. The method, as set forth in claim 13, wherein modifying the next hop information 

comprises modifying the next hop information to be the address of a router serving as a firewall of a 
network. 

15. The method, as set forth in claim 13, wherein modifying tiie next hop information 
25 conq>rises modifying the next hop information to be the address of a firewall of a virtual private network. 

16. The method, as set forth in claim 13, wherein the re-export filter comprises a mask, a 
value for comparison with the route, and an action to take in response to a match between the route and 
the comparison value. 

30 

17. The method, as set forth in claim 13, wherein receiving the plurality of routes comprises 
receiving a route distinguisher, a route target, and the next hop information. 
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